Security News: August 28, 2019 – PSW #618

 

 

 

In the news, we discuss how AT&T employees took bribes to plant malware on the company’s network, how hackers could decrypt your GSM calls, 80 suspects charged with massive BEC scam, and how the passports and licenses of 300 people were leaked in New Zealand!

Full Show Notes: https://wiki.securityweekly.com/Episode618

Visit https://www.securityweekly.com/psw for all the latest episodes!

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

 

Security News: August 28, 2019

Paul’s Stories

  1. Bug Bounties Continue to Rise, but Market Has Its Own 1% Problem
  2. A total of six hackers already become millionaires on HackerOne
  3. New Botnet Targets Android Set-Top Boxes
  4. Unsecured IoT: 8 Ways Hackers Exploit Firmware Vulnerabilities
  5. Hacker Jeopardy, Wrong Answers Only Edition
  6. Second Steam Client Zero-Day Disclosed in a Week
  7. Identifying vulnerable IoT devices by the companion app they use – Help Net Security
  8. How to avoid using RDP in Windows
  9. Asset Management Becomes the New Security Model – Dark Reading
  10. DLL Hijacking Flaw Found in Bitdefender Antivirus Free 2020 | SecurityWeek.Com
  11. LinkedIn Details Features of Fight Against Fakes
  12. Bypassing CSRF Protection
  13. Humans may have been listening to you via your Xbox
  14. Why Your Free Dark Web Scan Doesnt Matter
  15. Harnessing Stunt Hacking for Enterprise Defense | SecurityWeek.Com
  16. 5 Ways to Improve the Patching Process

Larry’s Stories

  1. Android ad clicking – A notepad app and a fitness app downloaded on more than a million devices have been secretly clicking on ads without people knowing for nearly a year, security researchers found.
  2. 2FA defeats 99.9% of all cyber attacks – Microsoft says that systems that leverage multi-factor authentication block nearly all automated cyberattacks, not just on Microsoft platforms – on any online service or website.” Unless you uses SMS and sim swapping happens….
  3. Android settop boxes prime for malware – IoT botnets move into the home theater market in search of low-hanging fruit…
  4. Camscanner Android Malware – Android Camscanner PDF creator with more than 100 million downloads from the official Play Store has been caught silently installing malware on victims’ phones.
  5. My password is Oyster… – London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard. He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password.

Jeff’s Stories

  1. AT&T employees took bribes to plant malware on the company’s network
  2. Snake oil or genius? Crown Sterling tells its side of Black Hat controversy
  3. Cybersecurity vendor that protects firms from data breaches hit by data breach

Lee’s Stories

  1. KNOB Attack Lets Hackers Insert themselves into your Bluetooth Calls KNOB attack expoits CVE-2019-9506 forcing one bite of entropy, allowing for brute force the key. Bluetooth core updated for minimum key of 7 octets. No publicly available exploit code (yet).
  2. Hackers Could Decrypt your GSM Calls Attack leverages weaknesses in the key exchange with the cell tower. Albeit a stingray attack is easier.
  3. Legit-Looking iPhone Lightning Cables will hack your Computer Cable has hotspot and multi-payload capability. Leverages USB device trust settings. O.MG Cable will become available through Hak5. Other cables on radar for similar implementation. MG DEFCON Blog
  4. Adult Site Luscious Data Breach PII of over 1 million users compromised, including .gov email addresses.
  5. Scammer tricks city of Saskatoon in BEC City tricked into sending over $1 million. Target accounts in Canada frozen, retrieval underway.
  6. 80 Suspects Charged with massive BEC Scam 14 arrests made across the us of Nigerian nationals. $6M taken, $40 more atempted via BEC, Romance Scams and other schemes that target the Elderly.
  7. Apple releases updates to iOS, MacOS and tvOS CVE-2019-8605, use after free code execution flaw discovered by Ned Williamson and Project Zero, fixed in iOS 12.4.1, macOS 10.14.6 suplimental update and tvOS 12.4.1.
  8. Passports, Licenses of 300 leaked in New Zealand New Zealand Ministry for Culture and Heritage had 300 individuals records exposed due to a coding error. Detected only after attempted fraudulent use of the data.

Hosts

Jeff Man
Jeff Man – Sr. InfoSec Consultant
Larry Pesce
Larry Pesce – Senior Managing Consultant and Director of Research
Matt Alderman
Matt Alderman – CEO
Paul Asadoorian
Paul Asadoorian – Founder & CTO

Guests

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand
  • Some of you told us that you are overwhelmed by the amount of content we distribute! In an attempt to make it a little easier for you to find what you’re interested in, we’ve created our new listener interest list! Sign up for list and select your interests by visiting: securityweekly.com/subscribe and clicking the button to join the list! You can also now submit your suggestions for guests in our recently released guest suggestion form! Go to securityweekly.com/guests and enter your suggestions!